Thursday, October 02, 2014

Watering down data protection

It was never likely that people would be happy about paying directly for their water. But public resentment has been stoked further by the invasive questions on the Irish Water application forms, which demand PPS numbers for the householder and all children before the free allowances are granted.
That resentment was only exacerbated when people looked at the data protection notice on the website to discover that Irish Water claims the right to use our personal information to market to us via unsolicited text messages, emails, junk mail and telephone calls and even to send salesmen to “contact the customer… in person”.

What do they propose to sell us? The website says that Irish Water or its agents may contact us about “water related products or services”, whatever those might be. Bathtubs? Swimming lessons? Boats? Perhaps we should expect phone calls at dinnertime which begin “Hi there. I’m calling you today because your body is 66% water.”

Irish Water also claims the right to send our information outside of Europe, which would allow outsourcing of their operations (for example, call centres or IT support) to a low cost location such as India. As originally drafted, their website also stated that information would be disclosed if Irish Water was bought by a third party – though they have since deleted this last point, no doubt because it is too close to the political hot potato that is privatisation of the water system.

(Using PPS numbers also creates a fresh problem. Many residents in Ireland - such as foreign students and foreign pensioners - will not have PPS numbers. What is to happen to their allowances?)

Quite apart from the initial request for PPS numbers there is also a problem with ongoing storage. While Irish Water may need PPS numbers to verify water allowances initially, that is no reason to continue storing them once this is done. It is a fundamental rule that personal information should not be stored for longer than necessary – especially in cases such as this, where Irish Water would end up holding a vast database which would be vulnerable to both corrupt insiders and outside attackers. Their apparent intention to store PPS numbers in this way is likely to breach data protection law - particularly if Irish Water follow through on what appears to be a half-baked plan to use PPS numbers to track down tenants for non-payment. Such a use would clearly be incompatible with the purpose for which they claim to be collecting the information.

The situation is no better in relation to marketing. For example, the assertion that Irish Water can send us unsolicited text messages and emails unless we object is wrong. Positive, opt-in consent is required by law before this can be done. Similarly, Irish Water is lacking in the mechanisms it provides to opt-out of marketing. The website makes opt-out excessively difficult by providing only a postal address and telephone number and (because it is not a freephone number) violating the requirement that opt-out should be free of charge. Indeed, it has since emerged that Irish Water staff answering that telephone number are actually unable to register opt-outs in the way promised by the privacy statement.

In relation to transferring our information outside Europe, Irish Water fails again. The website claims that “by submitting data to Irish Water” you agree to such transfers. However the fiction that you consent by filling out the registration form is unsustainable – as Irish Water is a monopoly and there is no choice but to fill out the form then any supposed consent would not be “freely given” as required by European law. Any transfer outside Europe would have to be justified in some other way.

The beleaguered head of PR has appeared on Morning Ireland attempting to extricate Irish Water from this quagmire - stating for example that Irish Water would only be direct marketing via postal inserts with bills, not by phone calls or emails. However her ad hoc assurances are meaningless while the data protection statement still claims much wider rights.

These are fundamental failures to meet basic requirements of data
protection law and have already resulted in one change to the privacy
statement. The Data Protection Commissioner is now also involved, and it is safe to say that her office will also insist on further changes. However it is astonishing that it is only at this late stage that the privacy issues involved are being given the attention which should have been there from the start.

For more see this excellent series of posts from Daragh O'Brien, who has been on top of the issue from the start: 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10.

2 comments:

TJ - thanks for the hat-tip.Irish Water's continued insistence that they are "in compliance" is akin to them waving their hand and telling us "these aren't the droids you're looking for". Likewise their increasingly shrill insistence that they retain data for the duration allowed by law. I asked them today "Which law?"

No response.

This is a phenomenal case study of the benefits, and scope, of Privacy by Design and Information life cycle thinking. We're talking about that at length at IGQIE2014 on the 7th Nov. Http://igq.ie

"Rather than create an additional bureaucracy within Irish Water it would have been preferable to leave this within the existing state agency – for example, by simply adding the relevant amount to the child benefit payment." - it is likely DSP don't want to do this to prevent 'leakage' (!) of payments to non-residents who are entitled to child benefit, e.g. someone working in Ireland who has a child abroad. Child benefit accrues to the parent, not the child.